Film Claims US Hacked Iran's Critical Infrastructure

The United States hacked into Iran's military and civilian infrastructure as part of a secret program code-named "Nitro Zeus" that was designed to disable the country's critical infrastructure on demand, using malware.

That claim comes from "Zero Days," a new film by Oscar-winning documentary filmmaker Alex Gibney that's set to debut Feb. 17 at the Berlin Film Festival, news site BuzzFeed first reported.

The film's title is a reference to the Stuxnet virus, which was apparently designed to cripple nuclear enrichment centrifuges at Iran's secure Natanz facility, in what is believed to be the first piece of malware ever designed to disable physical infrastructure. To help accomplish that, the malware included the unusual ability to target four zero-day vulnerabilities in Windows systems. Such flaws can command large amounts of money on the black market, and the ones built into Stuxnet may have been purchased from vulnerability researchers by intelligence agencies.

In fact, Stuxnet has previously been ascribed to a covert U.S.-Israeli "cyberweapons" project code-named Olympic Games, although the White House has never confirmed those allegations (see Report: Obama Ordered Stuxnet Assault).

But sources in "Zero Days" report that a more "aggressive" version of Stuxnet developed by the Israeli team got out of hand, spreading from the Natanz facility to thousands of computers around the world, The Jerusalem Post reports, based on an advance screening of the film.

"Our friends from Israel took a weapon that we developed jointly, among other things in order to defend Israel, and did something crazy with it, and actually blew the operation," a source reportedly says in the film. "We were very furious."

Information Security Media Group was not immediately able to screen an advance copy of the movie.

Targeting Iran's Critical Infrastructure

Stuxnet was designed to target nuclear enrichment centrifuges at Iran's secure Natanz facility.

Beyond Stuxnet

"Zero Days" - citing at least five confidential sources with knowledge of U.S. military or intelligence operations - says that Stuxnet was only part of a much bigger secret program, code-named Nitro Zeus, run by the U.S. Cyber Command and the National Security Agency, BuzzFeed reports, citing not only the movie, but also independent reporting and information contained in documents leaked by former NSA contractor Edward Snowden.

The film's sources said Nitro Zeus was designed to "disrupt, degrade, and destroy" - without leaving clues as to who was responsible - "Iran's industrial facilities, command-and-control, electrical grid, air defense, and transportation," and involved hundreds of personnel, hundreds of millions of dollars in investment and several years of work, BuzzFeed reports.

If the Stuxnet - and now Nitro Zeus - reports are accurate, it means they predate the "Operation Ababil" distributed denial-of-service attack
campaign that primarily targeted U.S. banks, and which began in 2012. Speaking on background, numerous U.S. government sources reportedly ascribed those attacks to Iran, characterizing them as a brazen attempt by the Iranian government to disrupt the U.S. banking infrastructure, when in fact they might be viewed as retaliation for Nitro Zeus (see Whatever Happened to DDoS Phase 4?).

Stuxnet's Legacy

The legacy of the group that developed Stuxnet continues. Last year, Moscow-based security firm Kaspersky Lab reported that its systems had been infected by malware that appeared to be the work of the gang that developed the Stuxnet, which was found in 2010, and the Duqu malware, which was discovered in 2011. Both were designed to target industrial control systems (see Duqu Teardown: Espionage Malware).

Researchers then discovered more apparently connected malware in 2012: Flame, which targeted organizations in the Middle East and predated Stuxnet, as well as Gauss, which targeted online banking users in the Middle East.

Summer Debut

"Zero Days," meanwhile, has been acquired by film distributor Magnolia Pictures, which is planning to release it theatrically this summer in the United States, after which it will have its paid television debut on Showtime, according to The Hollywood Reporter.

Gibney previously directed the 2015 "Going Clear: Scientology and the Prison of Belief" documentary. He also wrote and directed the 2007 documentary "Taxi to the Dark Side," which chronicled U.S. torture and interrogation practices during the war in Afghanistan, for which he won an Oscar in 2008.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;